Turbo Nat problem

Sebchr
Hello,

I am using Asus-Merlin on RT-n66u (great firmware!) and I have trouble with turbo nat. My network is:
Internet----(1.2.3.4)Box-----RT-n66u(192.168.2.254) ----------Server(192.168.2.1)
|---------------Client(192.168.2.249)
Box is used as DMZ to RT-n66u and RT-n66u nat table redirects port 80 to Server

2 months ago, my internet provider released a new firmware for my box. In this firmware, loopback is disabled. So, "client" cannot access Server by using address 1.2.3.4.
So I would like to configure RT-n66u in order to redirect packets from "client" to 1.2.3.4, to Server. So I set the following iptables rules:
iptables -t nat -I PREROUTING -i br0 -d 1.2.3.4 -j DNAT --to-destination 192.168.2.1
iptables -t nat -I POSTROUTING -s 192.168.2.0/24 -d 192.168.2.1 -j MASQUERADE

This configuration is OK if I disable Turbo nat. But if I enable Turbo nat, some packets don't use the Masquerade rule. In fact, I used tcpdump on the server:
09:52:38.475055 IP 192.168.2.254.50516 > 192.168.2.1.8080: Flags , seq 3935963517, win 14600, options [mss 1460,sackOK,TS val 35107695 ecr 0,nop,wscale 7], length 0
09:52:38.475128 IP 192.168.2.1.8080 > 192.168.2.254.50516: Flags [S.], seq 1502534616, ack 3935963518, win 14480, options [mss 1460,sackOK,TS val 491531120 ecr 35107695,nop,wscale 6], length 0
09:52:38.475560 IP 192.168.2.254.50516 > 192.168.2.1.8080: Flags [.], ack 1, win 115, options [nop,nop,TS val 35107695 ecr 491531120], length 0
09:52:38.475705 IP 192.168.2.249.50516 > 192.168.2.1.8080: Flags [P.], seq 3935963518:3935964035, ack 1502534617, win 115, options [nop,nop,TS val 35107695 ecr 491531120], length 517

So the last line shows that RT-n66u doesn't apply the masquerade rule. But the previous packets use the masquerade rule.
Why does Turbo Nat disable masquerade on some packets?

Best regards
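A small check, added here and not part of the original thread, that parses the tcpdump lines quoted above and flags any flow towards the server in which the source address switches between the router (masquerade applied) and a LAN client (masquerade skipped), which is exactly the symptom described. The sample capture is the one posted in the thread; the router and server addresses are taken from the network diagram.

```python
import re
from collections import defaultdict

# tcpdump output as posted in the thread (the first packet's flag field was
# lost in extraction, so the parser tolerates an empty Flags value)
CAPTURE = """\
09:52:38.475055 IP 192.168.2.254.50516 > 192.168.2.1.8080: Flags , seq 3935963517, win 14600, options [mss 1460,sackOK,TS val 35107695 ecr 0,nop,wscale 7], length 0
09:52:38.475128 IP 192.168.2.1.8080 > 192.168.2.254.50516: Flags [S.], seq 1502534616, ack 3935963518, win 14480, options [mss 1460,sackOK,TS val 491531120 ecr 35107695,nop,wscale 6], length 0
09:52:38.475560 IP 192.168.2.254.50516 > 192.168.2.1.8080: Flags [.], ack 1, win 115, options [nop,nop,TS val 35107695 ecr 491531120], length 0
09:52:38.475705 IP 192.168.2.249.50516 > 192.168.2.1.8080: Flags [P.], seq 3935963518:3935964035, ack 1502534617, win 115, options [nop,nop,TS val 35107695 ecr 491531120], length 517
"""

# Matches the "time IP src.sport > dst.dport: Flags [..]," prefix of a tcpdump line
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags (?P<flags>\S*),"
)


def parse(capture):
    """Parse tcpdump text into a list of dicts with src/sport/dst/dport/flags."""
    pkts = []
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["sport"] = int(d["sport"])
            d["dport"] = int(d["dport"])
            pkts.append(d)
    return pkts


def find_unmasqueraded_flows(pkts, router_ip, server_ip):
    """Return {(sport, dport): sorted source addresses} for flows towards
    server_ip that carry both the router's address (MASQUERADE applied) and
    some other source (MASQUERADE skipped, e.g. by the CTF fast path)."""
    sources = defaultdict(set)
    for p in pkts:
        if p["dst"] == server_ip:
            sources[(p["sport"], p["dport"])].add(p["src"])
    return {k: sorted(v) for k, v in sources.items()
            if router_ip in v and len(v) > 1}


if __name__ == "__main__":
    bad = find_unmasqueraded_flows(parse(CAPTURE), "192.168.2.254", "192.168.2.1")
    for (sport, dport), srcs in bad.items():
        print(f"flow {sport}->{dport}: mixed sources {srcs} (masquerade bypassed)")
```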
 
That's exactly how Broadcom CTF fastnat works: packets are routed between switch ports bypassing the Linux kernel netfilter tables, which are configured using iptables. It seems to make the wrong decision here, but nothing we can do with the closed source binaries.

You are doing the equivalent of "WAN IP localnat loopback", but in your double-nat+dmz configuration your router doesn't know the true WAN IP. There are 2 methods configurable in the asuswrt-merlin web gui, Asus or Merlin - because some folk find one works better than others. Tomato has different methods including 'forwarded only', I guess you could study these and try alternative methods which CTF might like better?
 
Thank you. Currently I am using Merlin loopback.
I tried the following iptables configuration:
iptables -t mangle -I PREROUTING -i br0 -d 1.2.3.4 -j MARK --set-mark 0xb400
iptables -t nat -I PREROUTING -i br0 -d 1.2.3.4 -j DNAT --to-destination 192.168.2.1

I enabled turbo nat and it seems to be fine. Do you know why? Does the 0xb400 mark prevent the use of turbo nat?
 
It's possible that the mark means Broadcom CTF doesn't touch it. Is there any noticeable effect on speed when you are accessing your local server using the WAN IP? Merlin loopback has an additional rule in iptables FORWARD and POSTROUTING for the loopback to work; I recall the MARK makes this more selective. There is a common problem with local nat loopback that the server might try to reply to the client directly; the POSTROUTING rule should ensure all comms go via the router.

If you are able to access the server using its local IP, perhaps via your hosts file, the connection shouldn't have to use nat at all.
 
It's possible that the mark means Broadcom CTF doesn't touch it

That's effectively how Asus bypasses CTF when necessary. Any marked packet bypasses CTF. That's why forwarded ports can still work through CTF.
 
I didn't notice any effect on speed when using the WAN IP.
Thank you for your answers. CTF bypass is clear now.
 